The attack abuses existing LinkedIn accounts to distribute the phishing links to their contacts, and also leverages the InMail feature to reach members outside those contacts' networks. The campaign abuses long-standing, trusted accounts, including Premium membership accounts that can use the InMail feature to contact other LinkedIn users.

The fraudulent message claims to link to a shared document but instead redirects to a phishing site for Gmail and other email providers. To ensure that victims don’t immediately realize they’ve been scammed, a decoy document on wealth management from Wells Fargo is displayed after the user is asked to input their username, password, and phone number.

The phishing message Malwarebytes encountered came from a trusted, compromised contact and contained a link to a so-called shared Google Doc. The Ow.ly URL shortener is used to hide the true URL used in the scheme, a method employed many times in previous phishing campaigns. The free hosting provider gdk.mx was also abused to redirect to a phishing page hosted on a hacked website.

The analyzed page was built as a Gmail phish, but also asks for Yahoo or AOL usernames and passwords. It also asks users to input their phone number or a secondary email address before displaying the decoy Wells Fargo document to them.
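The shortener-to-free-host-to-hacked-site chain described above is the kind of link path a triage analyst wants to surface before anyone clicks. The following is an added example, not code from Malwarebytes or the original article: it follows a redirect chain offline from a constructed hop table (the URLs are hypothetical placeholders; the real campaign's paths are not reproduced), stops on loops or a hop limit, and flags the traits the article names (shortener entry point, free-hosting hop, multiple domains).

```python
from urllib.parse import urlparse

# Constructed hop table standing in for the HTTP 3xx "Location" responses a
# triage script would collect while following each link. All URLs are
# hypothetical placeholders, not the campaign's actual links.
REDIRECTS = {
    "http://ow.ly/AbCd": "http://docs-share.gdk.mx/view",
    "http://docs-share.gdk.mx/view":
        "https://compromised-site.example/wp-content/gdoc/login.php",
}

SHORTENERS = {"ow.ly", "bit.ly", "t.co"}   # ow.ly from the article; others are common shorteners
FREE_HOSTS = {"gdk.mx"}                     # free hosting provider named in the campaign
MAX_HOPS = 10                               # bound the walk even if the table keeps redirecting


def host_of(url):
    return urlparse(url).hostname or ""


def uses_domain(host, domains):
    # Match the domain itself or any subdomain of it.
    return any(host == d or host.endswith("." + d) for d in domains)


def trace_chain(start, redirects=REDIRECTS):
    """Follow redirects offline; return the chain, final host and risk flags."""
    chain = [start]
    seen = {start}
    while chain[-1] in redirects and len(chain) <= MAX_HOPS:
        nxt = redirects[chain[-1]]
        if nxt in seen:
            break  # redirect loop: stop rather than spin forever
        chain.append(nxt)
        seen.add(nxt)
    hosts = [host_of(u) for u in chain]
    flags = []
    if uses_domain(hosts[0], SHORTENERS):
        flags.append("shortener_entry")
    # Free-hosting domains used purely as an intermediate hop, not the landing page.
    if any(uses_domain(h, FREE_HOSTS) for h in hosts[1:-1]):
        flags.append("free_host_redirect")
    if len(set(hosts)) >= 3:
        flags.append("multi_domain_chain")
    return {"chain": chain, "final_host": hosts[-1], "flags": flags}
```

In practice the hop table would be populated by fetching each URL with redirects disabled and recording the Location header; the classification logic stays the same.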

Messages sent via InMail, a feature that allows premium LinkedIn members to contact users who aren’t in their network, include a security footer with the sender’s name and professional headline, so that other members can distinguish authentic LinkedIn emails from phishing messages. However, the platform also warns users that they can’t trust the content of these messages, even if they are sent via LinkedIn.

Malwarebytes also points out that the use of InMail, which requires a Premium account, comes at a hefty monthly cost. While spammers have been seen upgrading free accounts only to send spam messages, the method couldn’t be used in large-scale attacks, due to limited InMail credits.

“This limitation does not apply here though since the crooks are not creating (and paying for) their own accounts, but rather leveraging existing ones. Therefore, they have little to worry about burning free credits and tarnishing their victim’s reputation so long as it allows them to deliver their payload far and wide,” the security researchers note.

According to Malwarebytes, the number of compromised accounts isn’t known, and it is also unclear how the impacted LinkedIn accounts were compromised. Attackers might have abused the large-scale LinkedIn breach that was disclosed last year, but could also have gained access to the compromised accounts by using data from other major data breaches.

“It’s also unclear whether the shortened URLs are unique per hacked account or not, although we think they might be. The user whose account was hacked had over 500 connections on LinkedIn and based on Hootsuite’s stats, we know 256 people clicked on the phishing link,” Malwarebytes says.

LinkedIn members who have been compromised should immediately review their account’s settings, change their password and enable two-step verification to prevent further compromise. They are also advised to warn their contacts of the compromise, as previous messages could be part of similar phishing attempts.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.
